+ ((www @) :tlsa (:https (:service-certificate-constraint
+ :certificate :sha-256 #p"http-server-www#1")))
+ (git :tlsa (:https (:trust-anchor-assertion
+ :certificate :sha-256 #p"distorted-ca")))
+ (www-cache :tlsa (3127 (:trust-anchor-assertion
+ :certificate :sha-256 #p"distorted-ca")))
+ (mail :tlsa ((:smtp :submission :imap)
+ (:trust-anchor-assertion
+ :certificate :sha-256 #p"distorted-ca")))